Knowledge base

Self-service support

Application black/whitelisting for iOS

April 02, 2020 00:29

This article describes Miradore's application blacklist and whitelist configuration profiles for iOS that can be used by Enterprise Plan customers to deny users from installing and launching configured applications. If you're interested in application black/whitelisting and application management in general, consider upgrading your site to the Enterprise Plan. See more in How to upgrade subscription for further information.

Requirements

Active Enterprise Plan subscription or trial

Available in iOS 9.3 and later. Requires that devices are Supervised. The most convenient way to get devices into Supervised mode is to enroll them through the Apple Device Enrollment Program.

What does application blacklisting or whitelisting mean?

Application blacklisting means that the defined applications cannot be installed to a target device. If a blacklisted application is already installed, it is blocked and cannot be started. Blacklisted applications are removed from the home screen of the device.

Application whitelisting means that all applications, except the ones explicitly defined, are blocked and their icons are removed from the home screen of your iOS device. The end-user can only install or use those applications that have explicitly been defined.

Application black/whitelisting for iOS applies also to the installed system applications, except for the Settings application. If you wish to deny the user from using, for example, Mail, App Store or Safari apps, add their identifiers to the list of blacklisted applications. Respectively, you must add system applications to the whitelist if you wish to allow users to use them, otherwise they will be blocked.

Here is a list of IDs for Apple's default apps:

App Store - com.apple.AppStore

Calculator - com.apple.calculator

Calendar - com.apple.mobilecal

Camera - com.apple.camera

Clock - com.apple.mobiletimer

Compass - com.apple.compass

Contacts - com.apple.MobileAddressBook

FaceTime - com.apple.facetime

Find Friends - com.apple.mobileme.fmf1

Find iPhone - com.apple.mobileme.fmip1

Find My - com.apple.findmy

Game Center - com.apple.gamecenter

Health - com.apple.Health

iBooks - com.apple.iBooks

iTunes Store - com.apple.MobileStore

Mail - com.apple.mobilemail

Maps - com.apple.Maps

Messages - com.apple.MobileSMS

Music - com.apple.Music

News - com.apple.news

Notes - com.apple.mobilenotes

Photos - com.apple.mobileslideshow

Photo Booth - com.apple.Photo-Booth

Podcasts - com.apple.podcasts

Reminders - com.apple.reminders

Safari - com.apple.mobilesafari

Shortcuts - com.apple.shortcuts

Stocks - com.apple.stocks

Tips - com.apple.tips

Videos - com.apple.videos

Voice Memos - com.apple.VoiceMemos

Wallet - com.apple.Passbook

Watch - com.apple.Bridge

Weather - com.apple.weather

You can have multiple blacklist and whitelist profiles deployed to the device and the end result will be an union of the restrictions where deny rule (blacklist) is stronger than the allow rule (whitelist). For example:

If you deploy a whitelist profile you can later on deny the use of certain apps allowed by it, by deploying a blacklist.

If you deploy two whitelist profiles, only the ones allowed by both of the profiles will be allowed.

If you deploy two blacklist profiles, all applications defined in either one of these are banned.

If you deploy a whitelist profile with only one application the user can only use this application and the built-in Settings. In other words, a whitelist profile can be used like a kiosk mode to effectively block unauthorized use of a device.

*Note* Bundle ID's are case sensitive

How to deploy an application blacklist or whitelist configuration to a device

First you need to create a new configuration profile and define the applications that are denied (blacklist) or allowed (whitelist). The process of creating application blacklist and whitelist configurations is identical, so we will only use the blacklist configuration as an example.

Start by navigating to Mobile management > Configuration profiles and start the Create configuration profile action from the page action menu. See Creating a configuration profile for more details.

When creating the profile you have to define the denied applications. Applications are identified by application specific bundle identifiers. Add applications by defining the bundle identifier (com.company.app), App Store ID (https://itunes.apple.com/us/app/miradore-online-client/id1052678054) or App Store URL (https://itunes.apple.com/us/app/miradore-online-client/id1052678054) of the application and click Add. You can add as many applications as you want. When you've added all the applications you want, press Next.

Once the blacklist configuration profile has been created, administrators can deploy it to all supported iOS 9.3 devices that are Supervised. See more in Deploying a configuration profile for further information. After the profile has been successfully deployed, the defined applications can no longer be used or installed and their icons are removed from the home screen.

How to disable application blacklist/whitelist configurations

Application blacklists and whitelists can be disabled by simply deleting the deployed configuration profile from the device. This can be done by opening the device page and clicking the trashcan icon in the Configuration profiles table. See Removing deployed configuration profiles for further information.

Frequently asked questions (FAQ)

Q. Can I block system applications?

A. Yes you can. Just add application identifiers to the configuration. Only the Settings application can't be blocked.

Q. Can I block In-house applications?

A. Yes you can. Just add application bundle identifiers to the configuration.